Compromised Browser Extensions - A Growing Threat Vector
ID: bdc18cb9-0c71-53ab-957c-674e82d1507e
STIX ID: report--bdc18cb9-0c71-53ab-957c-674e82d1507e
Feed Name: Pulsedive Blog
This report documents a January 2025 campaign in which a targeted phishing supply-chain attack compromised dozens of Chrome extensions (notably Cyberhaven and GraphQL Network Inspector), impacting an estimated 2.6 million users. Malicious updates added service-worker and content-script logic to fetch C2 configurations and exfiltrate data (targeting Facebook and ChatGPT-related pages), while other extensions and families such as Rilide acted as information stealers. The report includes lists of compromised extension IDs and versions, malicious JavaScript samples and decoded configurations, analysis findings (Booz Allen/Sekoia), and mitigation recommendations for home users and corporate IT (extension permission review and Intune/Defender controls).
